I hereby claim:
- I am mhaggis on github.
- I am mhaggis (https://keybase.io/mhaggis) on keybase.
- I have a public key whose fingerprint is FDB2 37EB CB74 CDB8 509B F1F6 DBDE 16A6 A0D4 DB9D
To claim this, I am signing this object:
jjj | |
jjj | |
jjjj | |
jjjj | |
jjjj | |
jjjj | |
jjjj | |
Ajj | |
jjj | |
jjjj |
I hereby claim:
To claim this, I am signing this object:
<?XML version="1.0"?> | |
<scriptlet> | |
<registration | |
description="Empire" | |
progid="Empire" | |
version="1.00" | |
classid="{20001111-0000-0000-0000-0000FEEDACDC}" | |
> | |
<!-- regsvr32 /s /i"C:\Bypass\Backdoor.sct" scrobj.dll --> |
<Sysmon schemaversion="3.20"> | |
<HashAlgorithms>md5,imphash</HashAlgorithms> | |
<EventFiltering> | |
<ProcessCreate onmatch="include"> | |
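<Image condition="contains">cmd.exe</Image>
<Image condition="contains">powershell.exe</Image>
<Image condition="contains">wmic.exe</Image>
<!-- Fixed typo: the previous value "cscirpt.exe" can never match a real image path,
     so this include filter silently dropped every Windows Script Host launch via cscript.exe. -->
<Image condition="contains">cscript.exe</Image>
<Image condition="contains">wscript.exe</Image>
<!-- "contains" is a substring match, so this also catches any image whose path contains
     "net.exe" (e.g. dotnet.exe). In an include filter that only adds noise rather than
     missing events; "end with" (with a leading backslash) would be tighter. -->
<Image condition="contains">net.exe</Image>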
<!-- | |
sysmon-config | A sysmon configuration for everyone | |
Public Version: 30 | |
By @SwiftOnSecurity, with contributors credited in-line or on Git | |
https://github.com/SwiftOnSecurity/sysmon-config | |
Required Sysmon version: 5.02 | |
https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx | |
NOTE: There is best-effort support for 32-bit systems, but it's not a test scenario and will require your own tuning. |
<AppLockerPolicy Version="1"> | |
<RuleCollection Type="Appx" EnforcementMode="NotConfigured" /> | |
<RuleCollection Type="Dll" EnforcementMode="NotConfigured" /> | |
<RuleCollection Type="Exe" EnforcementMode="AuditOnly" /> | |
<RuleCollection Type="Msi" EnforcementMode="NotConfigured" /> | |
<RuleCollection Type="Script" EnforcementMode="NotConfigured"> | |
<FilePathRule Id="02cc3f4e-9ecb-4962-a7a0-830e889da641" Name="%OSDRIVE%\Users\%USERPROFILE%\Appdata\roaming\*.js" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> | |
<Conditions> | |
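<!-- AppLocker path rules expand only AppLocker's own variables (%WINDIR%, %SYSTEM32%,
     %OSDRIVE%, %PROGRAMFILES%, %REMOVABLE%, %HOT%). %USERPROFILE% is not one of them,
     so the earlier path never matched any file; a wildcard segment covers every profile
     under \Users instead. Note the enclosing Script collection is
     EnforcementMode="NotConfigured", so this Deny rule is neither enforced nor audited
     until that mode is changed. -->
<FilePathCondition Path="%OSDRIVE%\Users\*\Appdata\roaming\*.js" />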
</Conditions> |
{ | |
"wmic": { | |
"process_name": ["wmic.exe"], | |
"cmdline": ["wmic shadowcopy delete"] | |
}, | |
"Vssadmin": { | |
"process_name": ["vssadmin.exe"], | |
"cmdline": ["vssadmin delete shadows /all /quiet"] | |
}, | |
"bcdedit": { |
{ | |
"Backblaze": { | |
"process_name": ["bztransmit.exe"] | |
}, | |
"Box": { | |
"process_name": ["boxsync.exe", | |
"boxsyncmonitor.exe", | |
"syncupdaterservice.exe"] | |
}, | |
"Carbonite": { |
# ingress.event.process | |
# ingress.event.procstart | |
# ingress.event.netconn | |
# ingress.event.procend | |
# ingress.event.childproc | |
# ingress.event.moduleload | |
# ingress.event.module | |
# ingress.event.filemod | |
# ingress.event.regmod | |
# ingress.event.tamper |
# ingress.event.procstart | |
# ingress.event.netconn | |
# ingress.event.processblock | |
# ingress.event.emetmitigation | |
# watchlist.hit.process | |
# watchlist.hit.binary | |
# watchlist.storage.hit.process | |
# watchlist.storage.hit.binary |